Your question to me was whether all of the organizations were using the same template, and I think at the time we did the audit we found that there were inconsistencies in how different organizations were assessing risks. So I think the direct answer to the question, as I understood it, is that at the time we did the audit, not everybody was using exactly the same approach.
On April 16th, 2013. See this statement in context.